what will resolve this problem?

— Exhibit –user@host> show security flow session

Session ID. 41, Policy name: allow/5, Timeout: 20, Valid
In: 172.168.66.143/43886 –> 192.168.100.1/5000;tcp, If: ge-0/0/1.0, Pkts: 1, Bytes: 60
Out: 10.100.1.100/5555 –> 172.168.66.143/43886;tcp, If: ge-0/0/2.0, Pkts: 0, Bytes: 0
user@host> show configuration

security {
nat {
destination {
pool server {
address 10.100.1.100/32 port 5555;
}
rule-set rule1 {
from zone UNTRUST;
rule 1 {
match {
destination-address 192.168.100.1/32;
destination-port 5000;
}
then {
destination-nat pool server;
}
}
}
}
proxy-arp {

interface ge-0/0/1.0 {
address {
192.168.100.1/32;
}
}
}
}
policies {
from-zone UNTRUST to-zone TRUST {
policy allow {
match {
source-address any;
destination-address any;
application [ junos-ping tcp-5000 ];
}
then {
permit;
}
}
}
}
zones {
security-zone TRUST {
interfaces {
ge-0/0/2.0 {
host-inbound-traffic {
protocols {

all;
}
}
}
}
}
security-zone UNTRUST {
interfaces {
ge-0/0/1.0 {
host-inbound-traffic {
system-services {
ping;
}
}
}
}
}
}
}
applications {
application tcp-5000 {
protocol tcp;
destination-port 5000;
}
}
— Exhibit —

Click the Exhibit button.
Your customer is attempting to reach your new server that should be accessible publicly using
192.168.100.100 on TCP port 5000, and internally using 10.100.100.1 on TCP port 5555. You
notice a session forms when they attempt to access the server, but they are unable to reach the
server.
Referring to the exhibit, what will resolve this problem?

— Exhibit –user@host> show security flow session

Session ID. 41, Policy name: allow/5, Timeout: 20, Valid
In: 172.168.66.143/43886 –> 192.168.100.1/5000;tcp, If: ge-0/0/1.0, Pkts: 1, Bytes: 60
Out: 10.100.1.100/5555 –> 172.168.66.143/43886;tcp, If: ge-0/0/2.0, Pkts: 0, Bytes: 0
user@host> show configuration

security {
nat {
destination {
pool server {
address 10.100.1.100/32 port 5555;
}
rule-set rule1 {
from zone UNTRUST;
rule 1 {
match {
destination-address 192.168.100.1/32;
destination-port 5000;
}
then {
destination-nat pool server;
}
}
}
}
proxy-arp {

interface ge-0/0/1.0 {
address {
192.168.100.1/32;
}
}
}
}
policies {
from-zone UNTRUST to-zone TRUST {
policy allow {
match {
source-address any;
destination-address any;
application [ junos-ping tcp-5000 ];
}
then {
permit;
}
}
}
}
zones {
security-zone TRUST {
interfaces {
ge-0/0/2.0 {
host-inbound-traffic {
protocols {

all;
}
}
}
}
}
security-zone UNTRUST {
interfaces {
ge-0/0/1.0 {
host-inbound-traffic {
system-services {
ping;
}
}
}
}
}
}
}
applications {
application tcp-5000 {
protocol tcp;
destination-port 5000;
}
}
— Exhibit —

Click the Exhibit button.
Your customer is attempting to reach your new server that should be accessible publicly using
192.168.100.100 on TCP port 5000, and internally using 10.100.100.1 on TCP port 5555. You
notice a session forms when they attempt to access the server, but they are unable to reach the
server.
Referring to the exhibit, what will resolve this problem?

A.
There must be a TRUST-to-UNTRUST security policy to allow return traffic.

B.
The NAT pool server address must be changed to 10.100.100.1/32.

C.
The NAT pool server port must be changed to 5000.

D.
The NAT rule set rule1 must match on address 172.168.66.143.

Explanation:



Leave a Reply 5

Your email address will not be published. Required fields are marked *


JNCSP-MIKE

JNCSP-MIKE

Yes only B!!!

The packet flow says that DST Nat is done before the policy look up, therefore the port that needs to be allowed would be 5555 not TCP-5000 in the security policy because of the NAT

JNCSP-MIKE

JNCSP-MIKE

Wrong question, this is the answer for question 20.

The answer for this question (18) is to change the IP address.

Sorry for my mistake.